# 作者: YYJ
# 2025年07月25日13时37分39秒
# 2486249622@qq.com

from pymysql import *

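def sql_injection():
    """Look up ``goods`` rows by id using a parameterised query.

    Demonstrates the safe alternative to building SQL with string
    formatting: the user-supplied id is handed to ``cursor.execute`` as a
    bound parameter, so the driver escapes it and the input cannot rewrite
    the WHERE clause.

    Reads the id from stdin, prints the matched row count and the rows.
    The cursor and connection are always closed, even if the query raises.
    """
    find_id = input('请输入查询id:')
    # NOTE(review): host, user and password are hard-coded here; in anything
    # beyond a classroom demo they should come from configuration or the
    # environment rather than source control.
    conn = connect(
        host='192.168.88.134',
        port=3306,
        user='root',
        password='123',
        database='python10',
        charset='utf8',
    )
    try:
        # Cursor context manager closes the cursor on exit, including on error.
        with conn.cursor() as cursor:
            # Unsafe form, kept only for contrast (never run it):
            #   sql = "select * from goods where id=%s" % find_id
            # An input like `1 or 1=1` would then make the WHERE clause
            # always true and return every row.
            #
            # Safe form: %s is a driver placeholder, not Python formatting;
            # the value is bound by the driver at execute time.
            sql = "select * from goods where id=%s"
            params = (find_id,)
            count = cursor.execute(sql, params)
            print(f'查询到{count}条数据')
            print(cursor.fetchall())
    finally:
        # Release the connection even when execute() or fetchall() fails.
        conn.close()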

# Script entry point: only run the demo when executed directly, not on import.
if __name__ == "__main__":
    sql_injection()